flowcommerce / aws-credentials-broker

Licence: MIT License
AWS Credentials Broker - Grants temporary AWS credentials for Google federated users

Programming Languages

go
31211 projects - #10 most used programming language
javascript
184084 projects - #8 most used programming language
HTML
75241 projects
Dockerfile
14818 projects
Mustache
554 projects
Makefile
30231 projects

Projects that are alternatives of or similar to aws-credentials-broker

Keycloak
Open Source Identity and Access Management For Modern Applications and Services
Stars: ✭ 10,826 (+26965%)
Mutual labels:  saml, oidc
Hydra
OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Compatible with MITREid.
Stars: ✭ 11,884 (+29610%)
Mutual labels:  federation, oidc
authentik
The authentication glue you need.
Stars: ✭ 2,941 (+7252.5%)
Mutual labels:  saml, oidc
Pysaml2
Python implementation of SAML2
Stars: ✭ 371 (+827.5%)
Mutual labels:  saml, federation
OpenAM
OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
Stars: ✭ 476 (+1090%)
Mutual labels:  saml, oidc
SATOSA
Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
Stars: ✭ 139 (+247.5%)
Mutual labels:  saml, oidc
casdoor
An Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML and CAS, QQ group: 645200447
Stars: ✭ 4,147 (+10267.5%)
Mutual labels:  saml, oidc
flaskoidc
A wrapper of Flask with pre-configured OIDC support
Stars: ✭ 33 (-17.5%)
Mutual labels:  oidc
kibou
Kibou is a lightweight federated social networking server written in Rust. This is only a mirror! The real repository is on https://git.cybre.club/kibouproject/kibou
Stars: ✭ 41 (+2.5%)
Mutual labels:  federation
mock-oauth2-server
A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer)
Stars: ✭ 83 (+107.5%)
Mutual labels:  oidc
okta-spring-security-5-example
Authentication with Spring Security 5 and Okta OIDC
Stars: ✭ 16 (-60%)
Mutual labels:  oidc
okta-ionic-auth-example
Example showing Ionic Authentication with Okta
Stars: ✭ 23 (-42.5%)
Mutual labels:  oidc
brauzie
Awesome CLI for fetching JWT tokens for OAuth2.0 clients
Stars: ✭ 14 (-65%)
Mutual labels:  oidc
aws-docker-toolkit
A lightweight dockerized version of the AWS CLI
Stars: ✭ 31 (-22.5%)
Mutual labels:  awscli
assam
Get a credential by AssumeRoleWithSAML for AWS CLI and SDK
Stars: ✭ 28 (-30%)
Mutual labels:  saml
cap
A collection of authentication Go packages related to OIDC, JWKs and Distributed Claims.
Stars: ✭ 328 (+720%)
Mutual labels:  oidc
fastapi-oidc
Verify and decrypt 3rd party OIDC ID tokens to protect your fastapi (https://github.com/tiangolo/fastapi) endpoints.
Stars: ✭ 24 (-40%)
Mutual labels:  oidc
gotosocial
Golang fediverse server.
Stars: ✭ 400 (+900%)
Mutual labels:  federation
hanatachi
Hanatachi is a free, open-source social network server for federated blogging
Stars: ✭ 18 (-55%)
Mutual labels:  federation
passport-saml-example
PassportJS SAML example
Stars: ✭ 118 (+195%)
Mutual labels:  saml

aws-credentials-broker

This app, when deployed in your AWS account, grants STS credentials to Google SAML federated users for use in the AWS CLI. The flow is as follows:

  • The CLI directs the user to the broker, for example https://aws-credentials-broker.example.org?callback_uri=http://localhost:1234.
  • aws-credentials-broker uses its Google OAuth2 client credentials to initiate the OpenID Connect (OIDC) credentials flow.
  • Once the user has authenticated with Google, aws-credentials-broker uses its Google Admin Service Account user to list the SAML roles associated with the authenticated user.
  • If the user has more than one account/role pair, a UI allows them to choose the account and role to assume.
  • When the user picks an account and role to assume, the OIDC token Google granted for the user is presented to AWS, which returns temporary credentials for the federated user.
  • The callback_uri is called with the STS credentials, which are stored in the user's ~/.aws/credentials file.

Getting Started

Google Setup

  1. Create a Google OAuth 2.0 client ID
  2. Create a Google Service Account
  3. Set up Google Admin API access, so the broker can read user SAML roles:
    • Enable the Admin SDK in the Google Developer Console
    • Enable domain-wide delegation for our service account user
    • Enable API access in Google Admin
    • In Google Admin > Manage API client access, grant our service account client ID the scope https://www.googleapis.com/auth/admin.directory.user.readonly

AWS Setup

Assuming you already have a SAML provider and roles set up for Google federated users, you need to add a trust relationship for our Google client ID.

In the role we want to give to users, edit the trust relationship policy document to add the following statement (the Condition on accounts.google.com:aud is what restricts the role to tokens issued to our client ID):

{
  "Version": "2012-10-17",
  "Statement": [
    ...
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "<our new google client id>"
        }
      }
    }
    ...
  ]
}
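As an added example (not the project's own code), here is a Go check that parses a role trust policy like the one above and flags Allow statements for the accounts.google.com principal and sts:AssumeRoleWithWebIdentity that lack a StringEquals condition on accounts.google.com:aud. Without that condition the role would accept Google ID tokens issued to any OAuth client rather than only our broker's client ID; the sample policy and the <placeholder-client-id> value are constructed for the example.

```go
package main

import "encoding/json"

type trustPolicy struct { // minimal view of an IAM trust policy; unused fields are ignored
	Statement []struct {
		Effect    string
		Principal struct{ Federated interface{} } // IAM accepts a string or a list here
		Action    interface{}                     // likewise a string or a list of strings
		Condition map[string]map[string]interface{}
	}
}

// contains reports whether v is the string s or a JSON list containing s.
func contains(v interface{}, s string) bool {
	switch t := v.(type) {
	case string:
		return t == s
	case []interface{}:
		for _, e := range t {
			if str, ok := e.(string); ok && str == s {
				return true
			}
		}
	}
	return false
}

// UnpinnedGoogleStatements returns the indexes of Allow statements that let accounts.google.com
// call sts:AssumeRoleWithWebIdentity without pinning accounts.google.com:aud to a client ID.
func UnpinnedGoogleStatements(policyJSON []byte) ([]int, error) {
	var p trustPolicy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var bad []int
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !contains(st.Principal.Federated, "accounts.google.com") ||
			!contains(st.Action, "sts:AssumeRoleWithWebIdentity") {
			continue
		}
		// Indexing a nil map is safe, so a statement with no Condition block yields ok == false.
		if _, ok := st.Condition["StringEquals"]["accounts.google.com:aud"]; !ok {
			bad = append(bad, i)
		}
	}
	return bad, nil
}

// Constructed sample: statement 0 pins a placeholder client ID, statement 1 does not.
const samplePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Federated":"accounts.google.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"accounts.google.com:aud":"<placeholder-client-id>"}}},
 {"Effect":"Allow","Principal":{"Federated":"accounts.google.com"},"Action":["sts:AssumeRoleWithWebIdentity"]}]}`
```

Running UnpinnedGoogleStatements over samplePolicy returns [1], the index of the statement that should be fixed before the role is used by the broker.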

Environment variables

Key                     Description
ALLOWED_ORIGIN          The URL of our broker app (e.g. https://aws-credentials-broker.example.org)
GOOGLE_ADMIN_EMAIL      The email address of a Google Apps admin user (e.g. [email protected])
GOOGLE_CLIENT_ID        The Google OAuth2 client ID
GOOGLE_CLIENT_REDIRECT  The callback URL of our broker app (e.g. https://aws-credentials-broker.example.org/oauth/google/callback)
GOOGLE_CLIENT_SECRET    The Google OAuth2 client secret
GOOGLE_SA_EMAIL         The Google Service Account user email
GOOGLE_SA_PK            The Google Service Account user private key, base64 encoded
HOSTED_DOMAIN           The Google domain to filter users for; ignored if left blank (optional)